Security experts say there’s no need to go back to paper: A few easy steps can keep your e-tickets and smartphone safe.

From air travel to concerts and sporting events, we’re using mobile ticketing more than ever. The nation’s largest commuter rail systems—the Metropolitan Transit Authority’s (MTA) Long Island Rail Road and Metro-North in New York and NJ Transit in New Jersey—have all gone paperless, allowing customers to use apps to purchase tickets, which they then display on their smartphones for QR code scanning. And now, even the New York City subway and bus systems are testing mobile payments.

But as with any digital step forward, there is always a hacker or scam artist looking to trip us up—and some of the ways they do it may surprise you. Fast Company talked with Jonathan Donovan, chief product officer at London-based Masabi, the company behind the MTA e-ticketing project, for some tips on how to keep your tickets and phones safe.

Report Stolen/Lost Phones Immediately

Having a mobile ticket stolen or losing your only digital copy of it can be easier to deal with than losing a physical ticket, says Donovan. And as with a credit card, it’s best to report the loss or theft to whoever issued the ticket as soon as possible.

“Mobile ticketing is better than traditional physical ticketing in the case of a passenger losing a ticket, or having the ticket stolen—especially if it is a commuter monthly or annual ticket worth hundreds/thousands of dollars,” writes Donovan in an email to Fast Company. “Once they have reported the loss to the transit agency, the old tickets can be blocked, and then when they get a new phone, a brand-new ticket can be issued to the original owner free of charge, with no risk to the transit agency that the old ticket might also be still in use.”

Be Careful With Screenshots

“Overall, if you have an app QR code or e-ticket on your phone, the general sense is you should treat it as a password,” says James Nguyen, a product manager for mobile at Norton by Symantec. Just as you wouldn’t post your email password to social media, you should avoid posting pictures or screenshots of tickets that include those codes. That’s because they could be used by thieves to take a trip or go to an event in your name. Even taking screenshots that include the codes can be risky if your phone is set to sync pictures to a cloud provider, since you’re relying on that provider’s security to keep your tickets from falling into the wrong hands.

Keep Your Phone Free From Malware

Smartphone malware could capture images of tickets and upload them to thieves, Nguyen says. That means digital tickets are another good reason to keep phones patched, only download apps from reputable stores and developers, and consider anti-malware software.

Watch Out For Shoulder Surfers

Depending on the value of a ticket, someone could theoretically even attempt to steal it by snapping a picture while it’s being displayed, says Andrew Blaich, a security researcher at San Francisco mobile security company Lookout. “If you’re showing your QR code on the screen and somebody may be looking at your screen, they could potentially take a picture of that,” he says. Just like with passwords, it’s best to keep your e-tickets out of view when they’re not needed.

Keep An Eye Out For High-Tech Skimmers

And while they haven’t been reported yet, there’s no reason why thieves wouldn’t be able to install decoy devices in public places like train stations or event venues that claim to validate tickets. Those would be like hidden credit card skimmers, which for years have cloned cards while customers used them at gas pumps and ATMs. As with credit cards, consumers should avoid using their tickets with any scanning machines that look suspicious, says Nguyen.

“Sometimes it’s difficult, but you can be diligent about noticing additional hardware or wires come out of the scanning equipment,” he says. When in doubt, skip the machines and talk to a human in a uniform, if there’s one around.

Lock Down Your Phone, Bluetooth Included

Locking your phone when it’s not in use, and using strong passwords and two-factor authentication when possible, will also help keep tickets and other confidential data safe from physical snooping, says Blaich.

Phone users should also keep unnecessary network connections, especially Bluetooth, disabled when they’re not using them, says Nadir Izrael, CTO of Armis. The Palo Alto-based security company made headlines in September by revealing a set of Bluetooth vulnerabilities it called BlueBorne. Izrael says it’s quite possible someone armed with similar exploits will develop a Bluetooth-based virus that can hop from infected devices to nearby vulnerable ones. Such an attack could be launched in a busy area like a train station or stadium—exactly the kinds of places people would have their phones out to show mobile tickets.

“Someone will walk into a crowded space with an infected device, and it will likely just transmit from device to device like an infection would play out,” he says.